Version 1.1 of ais/ai-00303.txt

Unformatted version of ais/ai-00303.txt version 1.1
Other versions for file ais/ai-00303.txt

!standard C.3.1 (08)          02-07-10 AI95-00303/01
!standard C.3.1 (13)
!class binding interpretation 02-07-10
!status work item 02-07-10
!status received 02-06-21
!qualifier Error
!priority Low
!difficulty Medium
!subject Library-level requirement for interrupt handler objects
!summary
C.3.1(8) applies in the private part of an instance.
A run-time check is applied in instance bodies that objects of protected types containing Interrupt_Handler pragmas are library-level.
!question
The legality rule C.3.1(8) says:
The Interrupt_Handler pragma is only allowed immediately within a protected_definition. The corresponding protected_type_declaration shall be a library level declaration. In addition, any object_declaration of such a type shall be a library level declaration.
However, this is a contract model violation. Consider:
package P is protected type Handler is procedure My_Handler; pragma Interrupt_Handler (My_Handler); ... end Handler;
generic type L is limited private; package G is procedure Something; ... end G; end P;
package body P is protected body Handler is .. end Handler;
package body G is O1 : L; procedure Something is O2 : L; begin ... end Something; end G;
end P;
with P; procedure Main is package HG is P.G (P.Handler); --??? begin ... end Main;
Clearly, we want C.3.1(8) to apply to O1 and O2. However, 12.3(11) says that legality rules are not enforced in the private part and body of instances. Thus, no check is made here.
For HG, we want both O2 and O1 to be illegal. However, if we moved the instantiation of HG to the library level, only O2 is illegal. Clearly the check depends both on the actual parameter and the location of the instantiation.
When and how is this check done?
!recommendation
(See summary.)
!wording
(See corrigendum.)
!discussion
The usual solution to contract model problems in generic bodies is to use an "assume-the-worst" rule. However, such a rule in this case would prevent declaring any objects of a limited private type. Such an incompatibility would be unacceptable, especially for such a rare case.
Another possible solution would be to prevent such protected types from matching generic limited private types. This seems very inconsistent with the rest of the language.
So we have adopted a run-time check in instance bodies. This check is very similar to the accessibility check (see 3.10.2(28-29)). In most implementations, this check can be made at compile-time, but implementations using some form of generic sharing may have to make the check at runtime.
This rule unfortunately adds overhead to generic sharing implementations for an extremely unlikely case. Luckily, this overhead can be avoided in a partial sharing implementation (where instantiations with protected type actuals are not shared), so this affects only a handful of implementations.
!corrigendum C.3.1(8)
Replace the paragraph:
The Interrupt_Handler pragma is only allowed immediately within a protected_definition. The corresponding protected_type_declaration shall be a library level declaration. In addition, any object_declaration of such a type shall be a library level declaration.
by:
The Interrupt_Handler pragma is only allowed immediately within a protected_definition. The corresponding protected_type_declaration shall be a library level declaration. In addition, any object_declaration of such a type shall be a library level declaration. In addition to the places where Legality Rules normally apply (see 12.3), this rule applies also in the private part of an instance of a generic unit.
!corrigendum C.3.1(13)
Insert after the paragraph:
When a handler is attached to an interrupt, the interrupt is blocked (subject to the Implementation Permission in C.3) during the execution of every protected action on the protected object containing the handler.
the new paragraph:
For any object of a type containing a Interrupt_Handler pragma, a check is made that the object is declared at the library level. If this check fails, Program_Error is raised.
!ACATS test
A C-Test should be created to check that this rule is checked in an instance body (the example above). Add a test case to BXC3002 to check that this rule is enforced in the private part of a generic instance.
!appendix

At the Vienna ARG meeting, an objection was raised to having a requirement
that an object declaration for a time handler be library-level. The objection
was that this was a contract model violation.

Randy pointed out that the language already includes such a rule in C.3.1(8).
The ARG decided that this rule needs to be fixed, with a run-time rule similar
to that used for accessibility.

See the minutes of that meeting for more information.

****************************************************************

From: Randy Brukardt
Sent: Wednesday, July 10, 2002  7:49 PM

One of the assignments I was given at the recent ARG meeting as to write an
AI about C.3.1(8), as Steve Baird pointed out that it was a contract model
violation. (This came up in the context of an unrelated proposal.)

I've attached my version of that AI. I'd like to point out the problem isn't
so much the contract model violation, but rather that the standard rule for
legality rules says that they are not enforced in a generic private part or
body. That means that this problem (admittedly minor) will not be detected
at all, which could cause obscure problems if it is encountered in practice.

Comments on the AI are welcome. (Note: It hasn't been posted on the web site
yet.)

****************************************************************

From: Jean-Pierre Rosen
Sent: Thursday, July 11, 2002  5:00 AM

I assume that this checks happens at the time the object declaration is
elaborated. Might be worse mentionning though...

****************************************************************

Questions? Ask the ACAA Technical Agent